DETAILED ACTION



1. Claims 1-60 have been examined.



Specification 



2. The disclosure is objected to because it contains an embedded hyperlink and/or other 
form of browser-executable code. Applicant is required to delete the embedded hyperlink and/or 
other form of browser-executable code. See MPEP § 608.01. 



The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351 (a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 



Claim Rejections - 35 USC § 102 



3. Claims 1, 2, 6, 7, 9-22, 26, 27, 31-36, 39-43, 46-50, 53, 56, 59 and 60 are rejected under
35 U.S.C. 102(e) as being anticipated by Gupta et al. (hereinafter referred to as Gupta) (US
Patent No. 6,226,752 B1).

4. As per claims 1 and 36, Gupta teaches a method for providing access services,
comprising the steps of: 

receiving user session state information for a first user [column 11, lines 46-53];

receiving resource request information for a first resource [column 11, lines 46-59]; 

receiving a request to authorize said first user to access said first resource [column 12, 
lines 13-27], said request to authorize is from an application without a web agent front end 
(understood by the examiner as a stand alone or multiple application server, i.e., an application 
server not connected behind a web server or any other web agent) [column 11, lines 10-20, and
column 12, lines 13-27]; and 

attempting to authorize said first user to access said first resource without requiring said 
first user to re-submit authentication credentials [column 12, lines 54-61]. 

5. As per claims 27 and 50, Gupta teaches a method for providing access services by an 
application without a web agent front end, comprising the steps of:

receiving an electronic request from a first user to access a first resource, said step of 
receiving includes receiving information from a cookie [column 11, lines 46-67 and column 12, 
lines 1-6]; 

providing said information from said cookie to an access system interface [column 12, 
lines 14-24]; and 

requesting said access system interface to authorize said first user to access said first 
resource based on information from said request from said first user and based on said 
information from said cookie [column 12, lines 14-61]. 



6. As per claim 43, Gupta teaches an apparatus, comprising:

a communication interface [column 11, lines 25-37 and figures 1 and 2];

one or more storage devices [column 11, lines 25-37 and figures 1 and 2]; and

one or more processors in communication with said one or more storage devices and 
said communication interface [column 11, lines 25-37 and figures 1 and 2], said one or more
processors programmed to perform a method comprising the steps of:

receiving user session state information for a first user [column 11, lines 46-53],
receiving resource request information for a first resource [column 11, lines 46-59], receiving a
request to authorize said first user to access said first resource [column 12, lines 13-27], said
request to authorize is from an application without a web agent front end (understood by the
examiner as a stand alone or multiple application server, i.e., an application server not
connected behind a web server or any other web agent) [column 11, lines 10-20, and column
12, lines 13-27], and attempting to authorize said first user to access said first resource without 
requiring said first user to re-submit authentication credentials [column 12, lines 54-61]. 

7. As per claim 53, Gupta teaches an apparatus, comprising: 

a communication interface [column 11, lines 25-37 and figures 1 and 2]; 
one or more storage devices [column 11, lines 25-37 and figures 1 and 2]; and 
one or more processors in communication with said one or more storage devices and 
said communication interface [column 11, lines 25-37 and figures 1 and 2], said one or more
processors programmed to perform a method for providing access services by an application 
without a web agent front end (understood by the examiner as stand alone or multiple 
application server, i.e., an application server not connected behind a web server or any other 
web agent) [column 11, lines 10-20, and column 12, lines 13-27], the method comprising the 
steps of:

receiving an electronic request from a first user to access a first resource, said step of
receiving includes receiving information from a cookie [column 11, lines 46-67 and column 12, 
lines 1-6], providing said information from said cookie to an access system interface [column 
12, lines 14-24], and requesting said access system interface to authorize said first user to 
access said first resource based on information from said request from said first user and 
based on said information from said cookie [column 12, lines 14-61]. 

8. As per claim 56, Gupta teaches a method for providing access services, comprising the 
steps of: 

authenticating a first user [column 12, lines 24-41]; 

causing user session state information to be stored at a client for said first user [column 
12, lines 50-56]; 

authorizing said first user to access a first protected resource [column 12, lines 42-51]; 

receiving a request from an application without a web agent front end to allow said first 
user to access a second protected resource, said step of receiving a request includes receiving 
said user session state information from said application [column 11, lines 46-53];

allowing said first user to access said second protected resource without requiring said 
first user to re-submit authentication credentials, if said first user is authorized to access said 
second protected resource [column 12, lines 41-61 and column ]. 

9. As per claim 2, Gupta teaches the method as applied above. Furthermore, Gupta 
teaches the method, wherein said user session state information is a session token from a
cookie stored on a client for said first user [column 11, line 67].

10. As per claims 6, 39, 46 and 59, Gupta teaches the method as applied above.
Furthermore, Gupta teaches the method, wherein: said user session state information is a 
session token from a cookie stored on a client for said first user, said session state information 
was created by an access system [column 12, lines 46-61]; and said access system performs 
said step of attempting to authorize [column 12, lines 54-61]. 

11. As per claim 7, Gupta teaches the method as applied above. Furthermore, Gupta 
teaches the method, wherein: said user session state information is a session token from a 
cookie stored on a client for said first user, said user session state information was created by 
an access system and provided to said application by said access system (logon server 
redirects the browser back to application server, with session information included with the 
redirection) [column 12, lines 42-60]; said application caused said session token to be stored in 
said cookie and said access system performs said step of attempting to authorize [column 12, 
lines 42-60]. 

12. As per claim 9, Gupta teaches the method as applied above. Furthermore, Gupta 
teaches the method, wherein said resource request information includes: an identification of a 
resource type, an identification of a resource, and an identification of an operation [column 11, 
lines 39-45]. 

13. As per claim 10, Gupta teaches the method as applied above. Furthermore, Gupta 
teaches the method, wherein said resource request information includes: an identification of a 
resource type, an identification of a resource; an identification of an operation, and query string 
information [column 11, 39-45 and column 14, lines 33-42].

14. As per claim 11, Gupta teaches the method as applied above. Furthermore, Gupta
teaches the method, wherein said resource request information includes: an identification of a 
resource type, an identification of a resource, an identification of an operation, and post data 
information [column 11, 39-45 and column 14, lines 33-42]. 

15. As per claim 12, Gupta teaches the method as applied above. Furthermore, Gupta 
teaches standalone or multiple application servers [column 11, lines 10-25].

16. As per claim 13, Gupta teaches the method as applied above. Furthermore, Gupta 
teaches the method, wherein: 

said step of attempting to authorize is based on said user session state information and 
said resource request information [column 11, lines 45-51 and column 12, lines 14-24]. 

17. As per claim 14, Gupta teaches the method as applied above. Furthermore, Gupta 
teaches the method further comprising the steps of: creating a resource request object, said 
resource request object represents a request to access said first resource (sending a request to
access a resource) [column 11, lines 46-51]; and creating a user session object, said user
session object represents said first user after said first user has been authenticated [column 12, 
lines 42-61]. 

18. As per claims 15, 34, 40, 41, 47, 48 and 60, Gupta teaches the method as applied 
above. Furthermore, Gupta teaches the method further comprising the steps of: determining 
whether said first resource is protected [column 12, lines 25-42]; determining an authentication 



Application/Control Number: 09/814,091 Page 8 

Art Unit: 2135 

scheme for said first resource [column 12, lines 25-42]; and determining whether said 
authentication scheme is satisfied based on said user session state information [column 12, 
lines 25-42] and making available to said application indication of whether said user session is 
protected and authentication scheme [column 12, lines 14-42]. 

19. As per claim 16, Gupta teaches the method as applied above. Furthermore, Gupta 
teaches the method further comprising the steps of: 

making available to said application an indication of whether said first resource is 
protected [column 12, lines 25-42]; and making available to said application an indication of 
said authentication scheme [column 12, lines 25-42]. 

20. As per claim 17, Gupta teaches the method as applied above. Furthermore, Gupta 
teaches the method further comprising the steps of: 

determining one or more authentication actions for said first resource [column 12, lines
25-42].

21. As per claim 18, Gupta teaches the method as applied above. Furthermore, Gupta
teaches the method further comprising the steps of: 

making available to said application an indication of said one or more authentication 
actions for said first resource [column 12, lines 25-42]. 

22. As per claim 19, Gupta teaches the method as applied above. Furthermore, Gupta 
teaches the method further comprising the steps of:

performing at least one of said authentication actions for said first resource [column 12,
lines 25-42]. 

23. As per claim 20, Gupta teaches the method as applied above. Furthermore, Gupta 
teaches the method further comprising the steps of: 

Determining one or more authorization actions for said first resource [column 12, lines
25-42].

24. As per claim 21, Gupta teaches the method as applied above. Furthermore, Gupta 
teaches the method further comprising the steps of: 

making available to said application an indication of said one or more authorization 
actions for said first resource [column 12, lines 25-42]. 

25. As per claim 22, Gupta teaches the method as applied above. Furthermore, Gupta 
teaches the method further comprising the step of: 

performing at least one of said authorization actions for said first resource [column 12,
lines 25-42]. 

26. As per claims 26, 35, 42 and 49, Gupta teaches the method as applied above. 
Furthermore, Gupta teaches the method further comprising the step of: 

allowing said first user to access said first resource if said first user is authorized to 
access said first resource [column 12, lines 42-53].

27. As per claim 31, Gupta teaches the method as applied above. Furthermore, Gupta
teaches the method further comprising the steps of: 

Requesting data from said information from said cookie, said request being made to said
access system interface [column 12, lines 12-23], receiving said data from said access system 
interface [column 12, lines 41-61] and using said data for an access system service [column 12, 
lines 41-61]. 

28. As per claim 32, Gupta teaches the method as applied above. Furthermore, Gupta 
teaches the method wherein, the cookie was originally provided by a first web agent (a client 
browser) [column 11, lines 45-50].

29. As per claim 33, Gupta teaches the method as applied above. Furthermore, Gupta 
teaches the method wherein, the cookie was originally provided by an access system interface 
[column 12, lines 54-61]. 

Claim Rejections - 35 USC § 103 

30. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made.

31. Claims 3-5, 8, 28-30, 37, 38, 44, 45, 51, 52, 54, 55, 57 and 58 are rejected under 35
U.S.C. 103(a) as being unpatentable over Gupta (US Patent No. 6,226,752 B1) in view of Wood
et al. (hereinafter referred to as Wood) (US Patent No. 6,668,322 B1).

32. As per claims 3, 28, 37, 44, 51, 54 and 57, Gupta teaches the method as applied above.
Furthermore, Gupta teaches said user session state information is from a cookie stored on a 
client for said first user [column 12, lines 50-62]. Gupta also suggests using encryption method 
to transfer information between access server, application server and client, including 
encrypting session information [column 14, lines 12-26]. Gupta does not clearly teach said user 
information is encrypted and decrypting said user session information. However, Wood teaches 
a method of providing access services, wherein user session information is encrypted and 
decrypting user session state information [column 7, lines 32-63]. Therefore it would have been 
obvious to one having ordinary skill in the art at the time the invention was made to encrypt and 
decrypt user session information as per teachings of Wood and include it into the access 
service taught by Gupta, in order to utilize secure transfer of information between access server,
application server and client and protect sensitive information stored in session token (cookie). 

33. As per claims 4, 29, 38, 45, 52, 55 and 58, the combination of Gupta and Wood teaches 
the method as applied above. Furthermore, Wood teaches decrypting encrypted session 
information at an access server, wherein only the access server possesses a key needed for
decryption [column 7, lines 32-63].

34. As per claims 5 and 30, the combination of Gupta and Wood teaches the method as
applied above. Furthermore, Wood teaches session information includes identity of the user 
[column 8, lines 9-25]. 

35. As per claim 8, Gupta teaches the method as applied above. Furthermore, Gupta 
teaches the method, wherein session information includes user identity and time period [column 
11, lines 59-66]. Gupta does not explicitly teach session information includes an authentication 
level for a user. However, Wood teaches session information that includes authentication level 
for a user [column 8, lines 9-13 and column 2, lines 35-42]. Therefore it would have been 
obvious to one having ordinary skill in the art at the time the invention was made to include 
authentication level for a user into a session information as per teachings of Wood and include it 
into session information taught by Gupta, in order to allow clients with different levels of
authentication and further increase security of protected information.

36. Claims 23-25 are rejected under 35 U.S.C. 103(a) as being unpatentable over Gupta 
(US Patent No. 6,226,752 B1) in view of Wenig et al. (hereinafter referred to as Wenig) (US
Patent No. 6,286,098 B1). 

37. As per claim 23, Gupta teaches a method for providing access services as applied 
above. Gupta does not explicitly teach determining one or more audit rules for a resource. 
However Wenig teaches determining one or more audit rules for a resource [column 1, lines 55- 
67 and column 10, lines 7-34]. Therefore it would have been obvious to one having ordinary skill 
in the art at the time the invention was made to determine one or more audit rules for a resource
as per teachings of Wenig and include it into the method of providing access services taught by
Gupta in order to verify occurred events during a particular user session within a client and
server applications. 

38. As per claims 24 and 25, the combination of Gupta and Wenig teaches the method as
applied above. Furthermore, Wenig teaches making available to an application an indication of 
one or more audit rules for a resource and performing at least one of said audit rules for said 
resource [column 10, lines 7-34]. 



Conclusion 

39. The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. See PTO Form 892. 

Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to Beemnet W Dada whose telephone number is (703) 305-8895. The 
examiner can normally be reached on Monday - Friday (8:30 am - 6:00 pm). 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Y Vu can be reached on (703) 305-4393. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306.

Information regarding the status of an application may be obtained from the Patent
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 



July 2, 2004 



Beemnet Dada 